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Quick tntroductin n to Certificate Revocation Trees (CRTs) 

ThU' docuntfint Qs^umzs c basic undmsanding of secure ka^ functions, certificates, certificate 

revocation iisis, etc. 

Introduction 

When a party in a cryptographic protocol (such as a web browser or server) verijfies a 
certificate, it must perform a series of tests to determine whether it is acceptable. One 
critical test is to determine whether the certificate has been revoked. 
, The traditional solution to the revocation problem involves certificate revocation lists. 
Each CA pubUshes signed lists of revoked certificates. The verifier downloads these lists, 
checks the signature on the list, makes sure the lisl is recent, the date of the list, and 
searches the list to make sure that the serial number of the cenificate in question is not on 
the list. CRLs cause a variety of problems, most notably that the verifier must have an up- 
to-date list of ail revoked certificates fi-om the CA, a list which could potentially become 
very large. 

CRTs make it possible for the verifier (any Internet or other application using 
certificates) to obtain a compact, time-critical proof that any certificate has not been 
revoked. A system based on CRTs consists of three major components; CRT issuance, 
confirmation issuance (of cenificate status) and verification (of such confirmation), 

CRT Issuance 



To produce a CRT one must first obtain a set of aU revoked certificates fi*om the CA(s) in 
the tree. These would typically come fi-om CRLs. but revocations could also come fi-om 
other sources such as users revoking their own certificates. Actual revocation policies are 
determined bj' each CA. 

Any revoked certificate can be uniquely identified by its CAs pubUc key (or the hash of 
the public key) and the certificate serial number. For any CA, there may be zero or more 
revoked certificates. 

Imagine a tree with three CAs with public key hashes CA, < CA: < CA3, where CA^ has 
revoked 4 certificates (156, 343, and 344), CAa has revoked no certificates, and CA3 has I 
revoked certificate (987). The CRT issuer can now make the following statements about 
certificate serial number X from a CA whose public key hash is CAx: 

Then: Unknown CA (revocation status unkaowTi) 

Tbien: X is revoked if and only if X = -oo. 

Then: X is revoked if and only if X - 156. 

Then: Xi5rc\'ofa?dif andonly if X=» 343. 

Then: X is revoked if and only if X = 344. 

Then; Unknown CA (revocation stams unknov^ii). 

Then: X is rei'oked if and only if X = -oo. 



If: -co<CAx<CA, 

If: CAx = CAi and -ooiX < 156 

Lf: CAx=CAt andl56 5X<343 

If: CAx - CA, and 343 < X < 344 

If: CAx = CA, and344iX<oo 

If: CA» < CAx < CAj 

If: CAx-CA:and-oo^X<oo 
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If: CA:<CAx<CA, 

If: CAx-CAjaiid-oosX<9B7. 

If: CAx-CA3and987sX<oo 

If: CA3<CAx<oo 



Then: Unknown CA (revocauon status unknown). 
Then: X is revoked ifand only if X = -«. 
Then: X is revoked if and only if X = 987. 
Then: Unknown CA (revocation status unknown). 



Note that for any C Ax and X there is a smgle appropriate statement above whidh provides 
all known information about whether X is revoked. Furthermore, no statement can 
accidentally be applied to an inappropriate certificate- 

The CRT issuer now builds a set of data structures which express the statements above. 
Note that only two basic types of data structures are required: those which specify a range 
of unknown CAs and those which specify a range of certificates in which the lower 
endpoint is revoked and all larger certificates in the range are valid. 

The CA then builds a binary hash tree with hashes of the data structures as leaves. For the 
example above, there would be eleven leaf nodes (No..No,io), where Nou is the secure hash 
of the structure expressing the statement above. 




Wherever two arrows converge on a single node (such as N2,o is produced fi-om Ni^ and 
N,^ ), the ngbt-hand node is computed as the secure hash of the left-hand two nodes with 
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the upper node hashed first. For exan^le, Ni^o would equal H(Ni^ | Nu). where T 
denotes concatenation. A nodes with a single arrow is equal to the node to its left (i.e., 
N,x,] = N2,;). Note that the root node (Ni^o) isafunctionof all leaf nodes (Ng,o . .No,io). 
After producing the entire tree, the issuer digitally signs the root node along with 
supporting information (like the date and time of the tree issuance). 

Confirmation issuance and Verification 

To determine the revocation status of a certbScate, the verifier needs the appropriate 
statement and proof that the statement is coucct. The role of a confirmation issuers is to 
provide a verifier these two components. 

Expressing the statement is easy; that's just the appropriate leaf data structure. To assure 
the statement's validity, the verifier needs cryptogr^hic proof that the leaf representative 
of the revocation status of the certificate is a the leaf in a properly signed tree. This 
assurance consists of the signed root node and a set of intermediate nodes which 
cryptographically bind the appropriate leaf node to the root node. 

For example, for certificate 600 fi-om CAj, the appropriate statement is: 

If: CAx = CA, and 344 i X < oo Then: X is revoked if and only if X = 344. 

The verifier can hash this statement structure to get No,i. The supporting nodes in this 
example are No,i, Nu. Nz^o, and N3,i. The verifier can now use the secure hash fimction H 
to compute: 

N,,: - H(No.4 1 No,5) 
N2.i'H(Na|Nu) 
N.vn = H(N:,o|N2,j) 
N4,o = H(N3.o|N3,i) 

Finally, the verifier can check that N4.0 was properly signed by the trusted tree issuer with 
the correct date, etc. If the original statement structure was tampered with or if any of the 
intermediate hashes were changed, the verifier will get a different value for N4 0 than was 
N4,o signed by the tree issuer. 

Advantages of a CRT based system 

A CRT based approach has many advantages, notably: 

• Verification does not require knowledge of entire CRLs. 

• CRL caching and other optimizations are not required. 
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• Certificate holders can cflBdcntly confinnations of their own certificates so that 
verifiers do aot need to make any additional network connections. 

• The 5y5tem works with existing certificates, ORLs, etc, 

• The size of the supporting hashes is approximately 20]og2(N), where N is the 
number of revoked certificates. The system works eflSciently even if N is in the 
billions or trillions. 

• One tree with one signed root can provide proofe for all certificates in a chaLn, 
so only one public key operation can verify multiple certificates. 

• The system supports CA revocation. 

• AD supporting information found in CRLs can be included including the 
rev'ocation date/time, reason for revocation, etc. 
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Certium Server^" 

SS?^ ^T"" P,"''^'^" "^"^^ » ^date digital 

cemficat« to htetnet apptotions. The server implements the tree-issZce 

system based on CertjficateRevocarion Trees. "«nagcmcnr 

source code, developers" documentation and consult-ng 
assistance from Integtis to complete the integration work. ^ 

Highlights 



■ i N 1 PITS 

Minima] iKtwork 
Mid pmccsjiuju 
"vrilic:td 



to «,,,,«« • 5^'"P«'^«"sive Intranet confirmation issuer for any Intranet Ce^^^^ 

Uiiii<«„„fciigi„i Server. Pnmary features include: r "i««iei i.^rtittute 



ccrlincntcj 



. ruiiy K.-.po,tabit ~ Issiance of Certincate Relocation Tree based on bodi bcaJ 

ix-..dmebn,w,„ cerancate serrer or die globally operated Integris service 

J!!!!!!:!!^^ b) Issuance of cen,ficate confirmation to requesting applications. 

• Single and multi-threaded implementations included. 
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Cerlkim AppTication TooOdt™ 



c e R T I U M 
■ i N e F ITS 

♦ (imiOcMe Villi Aition 

♦ Scu)rs (o *ii|>pori 



V'ttlly cxjHirtHblc 



♦ [.ending browser 



The Certium application toolkit is a dcTdoper's toolkit that provides end user 
applicadons such as Web browsers and electronic mail clients with die ability 
to check the validity of digital certificates in real-time. The toolkit 
implements Ac verifier component of a certificate validity management 
sj-stem based on Certifiate Revocation Trees. A typical verifier consists of 
functionality for the creation of certificate confirmation requests, Ae \'alidarion of 
certificate confirmation respon$e, and the location of the nearest confirmation issuer. 

The toolkit includes C source code, developers' documentation and consulting 
assistance fix>m Int^ris to complete the integration work. 



Highlights 



Designed to woA witfi both the Integris operated Certium Service and any 
Certificate Ser^-er or Certificate Management System that incorporates the 
Certium Server. 

Non-repudiable certificate status proof may be obtained by certificate 
holder, recipient or third-parry. 

A transparent solution, end user typically unaware of validation. 

Thread-safe implemenudon, -arailablc on both Windows and UNIX. 

Cryptogr^hic code bases supported include Tipem/BSAFE and SSLEay, 
CryptoAPI 20 planned for 4Q 19% release. 

Implementation based on open standards: PKCS-7 RSA SHA-1 X-509 
ASN.1,HTTP. 

Toolkit license Includes both development and redistribution nghts. 
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